CVE-2026-15062
Snowflake · Snowpark Python SDK
SQL injection vulnerabilities in the Snowflake Snowpark Python SDK allow authenticated low-privilege users to execute unauthorized SQL queries and potentially exfiltrate data.
Executive summary
Authenticated low-privilege users can exploit SQL injection flaws in the Snowflake Snowpark Python SDK to escalate privileges and access unauthorized data.
Vulnerability
The SDK fails to properly neutralize SQL syntax in several methods, including DataFrameReader.dbapi() and DataFrame.to_csv(). By injecting crafted payloads into column names or file paths, an authenticated user can manipulate SQL execution flow to bypass authorization scopes.
Business impact
This vulnerability allows authenticated users to perform actions exceeding their intended permissions, including cross-tenant data exfiltration and unauthorized reading of sensitive account data. With a CVSS score of 9.6, the risk of significant data breach and violation of regulatory compliance standards is extremely high for organizations relying on Snowflake for data processing.
Remediation
Immediate Action: Update the Snowpark Python SDK to version 1.53.0 or higher across all development and production environments.
Proactive Monitoring: Audit database query logs for unusual access patterns or SQL commands originating from the Snowpark SDK that deviate from expected application behavior.
Compensating Controls: Implement strict database-level role-based access controls (RBAC) to limit the impact of a compromised session, ensuring the service account used by the SDK has the minimum required permissions.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Organizations utilizing the Snowflake Snowpark Python SDK should treat this as a critical update. Given the risk of data exfiltration, ensure that all instances are patched and review IAM policies to enforce the principle of least privilege.